Windigo malware attack infects 25,000 servers

Researchers have become aware of a malware attack that has infected 25,000 UNIX servers worldwide and affects in the region of 500,000 computers every day.

The attack, dubbed “Operation Windigo”, was uncovered by Slovakian security firm ESET and CERT-Bund, the Swedish National Infrastructure for Computing.

It is estimated that around 60 per cent of servers are vulnerable and, once hijacked, are being used to send out spam emails. More than 35 million emails are currently being sent every day, with cPanel and kernel.org being two organisations that have fallen foul of the attack so far.

Data theft

The malicious code is designed to hijack servers and infect the computers that visit them or the websites they host. Once in control of a server, Windigo steals information and serves users with redirects to exploit kits, adverts for dating sites or pornography, depending on the operating system employed by the user.

According to ESET, Windigo has been increasing in strength and size largely unnoticed for over two and a half years. “Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk,” said ESET security researcher Marc-Étienne Léveillé.

“Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”

ESET has published a blog post and report that provide details of Windigo, including an explanation of how system administrators and webmasters can check whether or not their servers are compromised. Instructions for removing the malicious code are also provided.